Document security increasingly critical for mobile Internet users

ESET launches mobile security product for Airtel Nigeria
ESET launches mobile security product for Airtel Nigeria. (Image Source:
Photography for Striata in May 2015 by Jeremy Glyn.
Photography for Striata in May 2015 by Jeremy Glyn.

Most consumers in Africa will experience the online world first, and in many cases exclusively, via their mobile devices. PC and fixed internet penetration on the continent remain low and neither are expected to catch up to mobile.

According to the ITU, 20.7% of Africans had internet access in 2015, and mobile broadband penetration had reached 17.5% by 2015, compared to fixed broadband which was available in fewer than 1 in 100 households.

The increasing penetration of smartphones in Africa’s larger economies (34% in South Africa, 27% in Nigeria) is another indicator that mobile access will continue to dominate on the continent. It follows that users signing up to receive personal documents by email (invoices, statements, payslips and policies) as opposed to physical mail, are going to be accessing these documents on their mobiles.

For organisations communicating with mobile users, special consideration needs to be given to the protection of personal information and confidential documents that are delivered by email or accessible via an app. Security threats directed at mobile users specifically are becoming increasingly sophisticated, with hackers now targeting mobile payment systems as well as mobile browsers.

Securing private documents on a mobile is a combination of the sender’s responsibility in terms of encrypting and protecting that document; and the mobile user’s responsibility in terms of ensuring the device is secure.

What to do if you are sending confidential documents to customers:
Companies have no means to manage the inherent security of the mobile devices they are sending information to. This means the security of the data/documents needs to be approached by the sender as if the device is unsecured.

Documents delivered by email should be encrypted and password protected. Basic PDF encryption is not sufficient, neither is using an easily identified password like an ID number. To really protect the personal data inside a document, it should encrypted AND password protected with a medium to strong password.

If confidential documents or data are made accessible via a proprietary application, the application must not automatically log the user in or store the login details. If it’s not possible to add a security layer into the app process, then each document needs to be protected.

Perhaps most importantly, the company should continually educate its customers on emerging risks and the appropriate mobile device and application security. In as many customer touch points as possible, reiterate the security principles that will protect their confidential information.

What to do if you are receiving personal documents via email or app on your phone:
Every smartphone should have a pin or passcode to access the device; this renders the contents inaccessible should the handset be lost or stolen. The auto-lock should automatically lock the phone after a period of inactivity (our mobile device security policy stipulates an auto-lock delay of 3 minutes). This can be frustrating for users, but from a security point of view – it must be enabled.

Users should be picky about what applications they download and use regularly. Only download apps from official app stores and even then understand what the risks may be (Apple’s app store approves apps before publishing, but Android is less stringent). If you are concerned about the legitimacy of an app, read the reviews and use Google to see if there is any online chatter about known vulnerabilities.

If you are using free/default apps to read documents – such as iBooks to read PDF – make sure you apply updates as soon as they are released. The same goes for proprietary apps – some updates include security enhancements, meaning the app may have had vulnerabilities in the previous version that have been fixed in the new version.

Don’t allow apps that store sensitive information to ‘store’ your password or automatically log you in. Banking, payment, shopping, even social media apps store information that is valuable to a criminal. Rather log in each time, and once you have finished what you need to do, remember to logout.

Implement dual factor authentication (username & password plus a one-time PIN, for example) on the apps that offer this security layer – especially those that store your personal information or documents. The recent media attention around a 2012 leak of profile data from Linkedin has prompted the social media company to recommend two factor authentication to all its users. Gmail, Facebook, Twitter and Instagram are commonly used apps that allow for two factor authentication.

All major smartphone manufacturers allow for a remote ‘wipe’ of the data stored on a handset. This is advisable if the device is stolen while not locked – the remote wipe will remove any sensitive data. Of course, it’s advisable to do regular backups of your phone data, so that when you get a replacement, you can restore all your information.

By Stergios Saltas, Managing Director of Striata SA.